To: Information Commissioner's Office 

Subject: Formal Response to the ICO’s consultation on a draft direct marketing code of 
practice 

Date: 28th February 2020 


Thank you for sharing your draft code of practice. I would like to submit the below 
response to your consultation, on behalf of the Government Communication Service. In 
particular, we would like to raise the need to differentiate our public good 
communications from that of wider commercial direct marketing. 


Please do not hesitate to contact us with any queries, as we are committed to 
supporting the development of a practical and useful code of practice. 


Yours faithfully, 
T +44 (0 
E cabinetoffice.gov.uk 


Introduction 


The Government Communication Service supports the development of a code of 
practice that provides clear guidance on legal and best practice in direct marketing. In 
particular, we welcome further clarifications on how we can comply in practice with 
GDPR and PECR, which will be of great benefit to government service providers. 


We currently communicate widely with the public; for example, the Department for Work 
& Pensions delivered 80,000 texts to reassure UK state pensioners living in the EU that 
their pension payments will continue after Brexit. A significant proportion is done 
through the government's central messaging service GOV.UK Notify, which has 
delivered 616m emails and 79.3m texts since its launch in May 2016. For example, the 
Veterans Welfare Service has used Notify to send appointment reminders for 
approximately 7,000 visits to veterans per year. Notify is a crucial service allowing 
government departments, councils etc. to communicate directly with our citizens on 
matters of public importance and we hope to expand this service in the future. 


The terms of service require that government users “[do] not send unsolicited 
messages, only ones related to a transaction or something the user has subscribed to 
be updated about”, in line with your proposed code of practice. 


Given the benefit that direct government messages achieve, and government 
communicators' very strict adherence to obtaining opt-in consent for them, we have two 
main recommendations for the code of practice: 


1. Differentiating public good from direct marketing: We recommend that public 
sector direct communications that have the primary objective of benefit to 
recipients are not classified as ‘direct marketing’. We recommend this be 
achieved through the introduction of a new classification ‘direct messaging in the 
public interest’, to differentiate these use cases from ‘direct marketing’. 

2. Clarifying the exemptions to opt-in consent: We have found that many 
government communicators are unclear on the exemptions to opt-in consent. 
We therefore recommend including more public sector examples where either 
‘soft opt-in’ or public task would apply. 


Below we provide more details on these two recommendations along with concrete 
examples from across government. We hope these provide useful input to your 
consultation and look forward to seeing the final version of the code of practice. 


Questions 
Q1. Is the draft code clear and easy to understand? 


On pages 74 to 78, the code of practice describes the five requirements for a ‘soft opt-in’ to 
apply. On page 23, the following example and analysis are provided: 


“Scenario B: A GP sends the following text message to a patient: ‘Our flu clinic is now open. 
If you would like a flu vaccination please call the surgery on 12345678 to make an 
appointment.’ 


This is more likely to be considered to be direct marketing because it does not relate to the 
patient’s specific care but rather to a general service that is available.” 


We believe that this example in the draft code of practice could cause more confusion than 
clarity, and could easily be amended to fulfil the requirements for a ‘soft opt-in’. Provided the 
patient in the example was given the option to opt out of direct communications when 
providing their contact details to the GP, and again given the opportunity to opt out in the text 
message, then the message from the flu clinic would appear to be a clear example where 
‘soft opt-in’ applies, as the clinic is alerting the patient to a similar service to what was 
previously provided. We would also like to highlight here that a ‘sale’ can occur, even when a 
service is free at the point of delivery - Facebook and Google are commercial companies 
that make extensive use of this model and use contact details to market similar products or 
services to customers. 


Given that ‘soft opt-in’ and its application is not widely understood in government, the 
additional explanation of a compliant example would be extremely useful. For example, if the 
code of practice could demonstrate how the previous example could be turned into a 
compliant one: 


‘Our flu clinic is now open. If you would like a flu vaccination please call the surgery on 
12345678 to make an appointment. If you would like to stop receiving messages 
about the services we offer, please reply STOP to this message.’ 


A real-world example of this is the case of the Department of Health and Social Care’s legal 
responsibility to inform the public about upcoming consultations. Their current application of 
strict rather than soft opt-in limits the reach and efficacy of their direct communication to 
citizens, and clarity would support them in this public task, thus improving the democratic 
participation and feedback to government from private and public bodies. Again, we highlight 
that here the provision of consultations is a ‘sale’ in the sense that a service is provided 
despite being free at the point of use. 


Q2. Does the draft code contain the right level of detail? (When answering 
please remember that the code does not seek to duplicate all our existing 
data protection and e-privacy guidance) 


Exemptions for public task 


As noted in the code of practice draft, there may also be scope in certain cases for ‘public 
task’ serving as the legal basis for direct marketing. It would be useful to practitioners for 
this to be demonstrated with an example. For example, even if a patient at a GP service 
had opted out of direct communications, the practice would be within their rights to 
contact the patient if they had evidence that they had visited at the same time as a patient 
carrying COVID-19. Furthermore, ‘public task’ would justify the strong recommendation of 
medical services in order to protect the health of the recipient and other members of the 
public. 


A real-world example is the Environment Agency’s flood warning service that uses a Civil 
Contingencies Act notice to mobile phone operators so that they can provide people in 
high risk areas with a warning service. Whilst the data is managed in a GDPR-compliant 
way, PECR’s opt-in requirement does not apply. Instead, when mobile numbers are 
added to the system, they are sent a text informing them they’ve been added with the 
option to opt-out. The opt-out rate is around 2% and over 1.5m properties are registered 
with this service. 


Q3. Does the draft code cover the right issues about direct marketing? 
Yes. 


Q4. Does the draft code address the areas of data protection and e-privacy that 
are having an impact on your organisation’s direct marketing practices? 


Yes. 


Q5. Is it easy to find information in the draft code? 
Yes. 


Q6. Do you have any examples of direct marketing in practice, good or bad, 
that you think it would be useful to include in the code? 


No. 


Q7. Do you have any other suggestions for the direct marketing code? 


Differentiating public good from direct marketing 


Currently, the code of practice treats public sector direct communications in the same way as 
commercial marketing. However, the goal of public sector communications is, with few exceptions, 
direct benefit to the recipient, whereas the latter achieves consumer benefit via its primary 
objective to sell its products for profit. We therefore believe that the vast majority of government 
communications should not be treated as direct marketing, but rather under a separate category of 
communication, ‘direct messaging in the public interest’, falling under GDPR, but not PECR. 


For example, often the communication will be neither promoting a service nor values, but instead 
seeking to keep citizens informed. Pembrokeshire County Council uses Notify to let people know 
about school closures and East Sussex County Council uses it to send air quality alerts. When the 
Department for Environment, Food & Rural Affairs (DEFRA) contacts anglers who have bought 
multiple short-term licenses to tell them that they can save money in future by purchasing a 
long-term license for less, they are actually pursuing a revenue-reducing option in the public interest. 


We also seek clarity on cases where citizens pay for government services indirectly, for example 
via taxes. In the same way that a company would provide service information about a product a 
customer had bought, it seems that a council providing updates about rubbish and recycling 
collection details to a council taxpayer is providing a service message, not a marketing one. 


Even when communications do have a clear call to action for the recipient, they form a crucial part 
of government policy objectives and service delivery, and are therefore in the public interest. If 
citizens are not made aware of shared parental leave policy, public health provision, health and 
safety advice and countless other government objectives in a clear and compelling way, then the 
government cannot deliver on the priorities the people have voted for. 


In all the situations described above, we believe the processing of personal data should fall solely 
under GDPR rather than PECR, with a natural legal basis in either ‘legitimate interest’ or ‘public 
task’. 


As required by the ‘legitimate interest’ assessment, we believe that the purpose, necessity and 
balance tests are the most appropriate routes for government communicators to apply. For 
example, for the necessity test, targeted online advertising may be a less invasive, more 
transparent, and more cost-effective method for communicating messages not directly related to 
very specific citizens. In the case of the balance test, we highlight the Centre for Data Ethics & 
Innovation’s recent review of online targeting, which finds that 82% of survey respondents are 
comfortable with the NHS targeting people who would benefit, to encourage them to get a flu jab. 
We support and welcome further research into what the public expects, in order to provide further 
evidence with which the government can balance public benefit with the processing of personal 
data. 


Where government communicators proceed with direct emails or texts under GDPR, we envision 
that best practice requires the ability of citizens to opt out of further messaging. 


